Update to jdk-11.0.9+11

Update release notes for 11.0.9 release.
Add backport of JDK-8254177 to update to tzdata 2020b
Require tzdata 2020b due to resource changes in JDK-8254177
Fix directory ownership of static-libs package

.gitignore

@@ -69,3 +69,4 @@
 /jdk-updates-jdk11u-jdk-11.0.9+8-4curve.tar.xz
 /jdk-updates-jdk11u-jdk-11.0.9+9-4curve.tar.xz
 /jdk-updates-jdk11u-jdk-11.0.9+10-4curve.tar.xz
+/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz

NEWS

@@ -3,6 +3,408 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
+New in release OpenJDK 11.0.9 (2020-10-20):
+===========================================
+Live versions of these release notes can be found at:
+  * https://bitly.com/openjdk1109
+  * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.txt
+
+* Security fixes
+  - JDK-8233624: Enhance JNI linkage
+  - JDK-8236196: Improve string pooling
+  - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+  - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+  - JDK-8237995, CVE-2020-14782: Enhance certificate processing
+  - JDK-8240124: Better VM Interning
+  - JDK-8241114, CVE-2020-14792: Better range handling
+  - JDK-8242680, CVE-2020-14796: Improved URI Support
+  - JDK-8242685, CVE-2020-14797: Better Path Validation
+  - JDK-8242695, CVE-2020-14798: Enhanced buffer support
+  - JDK-8243302: Advanced class supports
+  - JDK-8244136, CVE-2020-14803: Improved Buffer supports
+  - JDK-8244479: Further constrain certificates
+  - JDK-8244955: Additional Fix for JDK-8240124
+  - JDK-8245407: Enhance zoning of times
+  - JDK-8245412: Better class definitions
+  - JDK-8245417: Improve certificate chain handling
+  - JDK-8248574: Improve jpeg processing
+  - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+  - JDK-8253019: Enhanced JPEG decoding
+* Other changes
+  - JDK-6532025: GIF reader throws misleading exception with truncated images
+  - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop
+  - JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java fails
+  - JDK-8062947: Fix exception message to correctly represent LDAP connection failure
+  - JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed
+  - JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use
+  - JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
+  - JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider
+  - JDK-8172404: Tools should warn if weak algorithms are used before restricting them
+  - JDK-8193367: Annotated type variable bounds crash javac
+  - JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset
+  - JDK-8203026: java.rmi.NoSuchObjectException: no such object in table
+  - JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called
+  - JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass
+  - JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout
+  - JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java
+  - JDK-8204963: javax.swing.border.TitledBorder has a memory leak
+  - JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed"
+  - JDK-8205534: Remove SymbolTable dependency from serviceability agent
+  - JDK-8206309: Tier1 SA tests fail
+  - JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out
+  - JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1
+  - JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect
+  - JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent!
+  - JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful
+  - JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout
+  - JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2
+  - JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC
+  - JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java
+  - JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code
+  - JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3
+  - JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack
+  - JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests
+  - JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds
+  - JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout
+  - JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4
+  - JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject
+  - JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test
+  - JDK-8211694: JShell: Redeclared variable should be reset
+  - JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent
+  - JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest
+  - JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55
+  - JDK-8212807: tools/jar/multiRelease/Basic.java times out
+  - JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent)
+  - JDK-8213214: Set -Djava.io.tmpdir= when running tests
+  - JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found
+  - JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes
+  - JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface
+  - JDK-8214074: Ghash optimization using AVX instructions
+  - JDK-8214491: Upgrade to JLine 3.9.0
+  - JDK-8214797: TestJmapCoreMetaspace.java timed out
+  - JDK-8215243: JShell tests failing intermitently with \"Problem cleaning up the following threads:\"
+  - JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed
+  - JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions)
+  - JDK-8215438: jshell tool: Ctrl-D causes EOF
+  - JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows
+  - JDK-8216974: HttpConnection not returned to the pool after 204 response
+  - JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time
+  - JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs
+  - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
+  - JDK-8221658: aarch64: add necessary predicate for ubfx patterns
+  - JDK-8221759: Crash when completing \"java.io.File.path\"
+  - JDK-8221918: runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java fails: Shared archive not found
+  - JDK-8222074: Enhance auto vectorization for x86
+  - JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp
+  - JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command
+  - JDK-8223688: JShell: crash on the instantiation of raw anonymous class
+  - JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error
+  - JDK-8223940: Private key not supported by chosen signature algorithm
+  - JDK-8224184: jshell got IOException at exiting with AIX
+  - JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc
+  - JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException
+  - JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions
+  - JDK-8226536: Catch OOM from deopt that fails rematerializing objects
+  - JDK-8226575: OperatingSystemMXBean should be made container aware
+  - JDK-8226697: Several tests which need the @key headful keyword are missing it.
+  - JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous
+  - JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java timed out
+  - JDK-8227269: Slow class loading when running with JDWP
+  - JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6"
+  - JDK-8228448: Jconsole can't connect to itself
+  - JDK-8228967: Trust/Key store and SSL context utilities for tests
+  - JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow
+  - JDK-8229815: Upgrade Jline to 3.12.1
+  - JDK-8230000: some httpclients testng tests run zero test
+  - JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java runs zero test
+  - JDK-8230010: Remove jdk8037819/BasicTest1.java
+  - JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter
+  - JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?"
+  - JDK-8230767: FlightRecorderListener returns null recording
+  - JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java
+  - JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread
+  - JDK-8231586: enlarge encoding space for OopMapValue offsets
+  - JDK-8231953: Wrong assumption in assertion in oop::register_oop
+  - JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes
+  - JDK-8232083: Minimal VM is broken after JDK-8231586
+  - JDK-8232161: Align some one-way conversion in MS950 charset with Windows
+  - JDK-8232855: jshell missing word in /help help
+  - JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration
+  - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
+  - JDK-8233386: Initialize NULL fields for unused decorations
+  - JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result
+  - JDK-8233686: XML transformer uses excessive amount of memory
+  - JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions
+  - JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment
+  - JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose
+  - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater()
+  - JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr
+  - JDK-8234149: Several regression tests do not dispose Frame at end
+  - JDK-8234347: "Turkey" meta time zone does not generate composed localized names
+  - JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java fails in linux nightly
+  - JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC
+  - JDK-8234541: C1 emits an empty message when it inlines successfully
+  - JDK-8234687: change javap reporting on unknown attributes
+  - JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11
+  - JDK-8236548: Localized time zone name inconsistency between English and other locales
+  - JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575
+  - JDK-8237182: Update copyright header for shenandoah and epsilon files
+  - JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval
+  - JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java
+  - JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response
+  - JDK-8238284: [macos] Zero VM build fails due to an obvious typo
+  - JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10
+  - JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10
+  - JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10
+  - JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes
+  - JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code
+  - JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method");
+  - JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD
+  - JDK-8240169: javadoc fails to link to non-modular api docs
+  - JDK-8240295: hs_err elapsed time in seconds is not accurate enough
+  - JDK-8240360: NativeLibraryEvent has wrong library name on Linux
+  - JDK-8240676: Meet not symmetric failure when running lucene on jdk8
+  - JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support
+  - JDK-8241065: Shenandoah: remove leftover code after JDK-8231086
+  - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows
+  - JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException
+  - JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector
+  - JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark
+  - JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME
+  - JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure
+  - JDK-8241750: x86_32 build failure after JDK-8227269
+  - JDK-8242184: CRL generation error with RSASSA-PSS
+  - JDK-8242283: Can't start JVM when java home path includes non-ASCII character
+  - JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array
+  - JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java with a flexible interop test framework
+  - JDK-8243138: Enhance BaseLdapServer to support starttls extended request
+  - JDK-8243320: Add SSL root certificates to Oracle Root CA program
+  - JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program
+  - JDK-8243389: enhance os::pd_print_cpu_info on linux
+  - JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment
+  - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
+  - JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions
+  - JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows)
+  - JDK-8244087: 2020-04-24 public suffix list update
+  - JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26
+  - JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base
+  - JDK-8244196: adjust output in os_linux
+  - JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in
+  - JDK-8244287: JFR: Methods samples have line number 0
+  - JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI
+  - JDK-8244719: CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it"
+  - JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb
+  - JDK-8244763: Update --release 8 symbol information after JSR 337 MR3
+  - JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor
+  - JDK-8245151: jarsigner should not raise duplicate warnings on verification
+  - JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9
+  - JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch
+  - JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!"
+  - JDK-8245832: JDK build make-static-libs should build all JDK libraries
+  - JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan
+  - JDK-8245981: Upgrade to jQuery 3.5.1
+  - JDK-8246027: Minimal fastdebug build broken after JDK-8245801
+  - JDK-8246094: [macos] Sound Recording and playback is not working
+  - JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode
+  - JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
+  - JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError
+  - JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN
+  - JDK-8246330: Add TLS Tests for Legacy ECDSA curves
+  - JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place"
+  - JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods
+  - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node
+  - JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code
+  - JDK-8247615: Initialize the bytes left for the heap sampler
+  - JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand
+  - JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&'
+  - JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg
+  - JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention
+  - JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield
+  - JDK-8248348: Regression caused by the update to BCEL 6.0
+  - JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1
+  - JDK-8248495: [macos] zerovm is broken due to libffi headers location
+  - JDK-8248851: CMS: Missing memory fences between free chunk check and klass read
+  - JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows
+  - JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650
+  - JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows.
+  - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
+  - JDK-8249255: Build fails if source code in cygwin home dir
+  - JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11
+  - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
+  - JDK-8249560: Shenandoah: Fix racy GC request handling
+  - JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle
+  - JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases
+  - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
+  - JDK-8250609: C2 crash in IfNode::fold_compares
+  - JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
+  - JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
+  - JDK-8250787: Provider.put no longer registering aliases in FIPS env
+  - JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM
+  - JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk
+  - JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds
+  - JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
+  - JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure
+  - JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U
+  - JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java
+  - JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase
+  - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured"
+  - JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility
+  - JDK-8252258: [11u] JDK-8242154 changes the default vendor
+  - JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011
+  - JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11
+  - JDK-8253283: [11u] Test build/translations/VerifyTranslations.java failing after JDK-8252258
+  - JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes
+
+Notes on individual issues:
+===========================
+
+core-libs/java.nio.charsets:
+
+JDK-8240196: Modified the MS950 charset Encoder's Conversion Table
+==================================================================
+In this release, some of the one-way byte-to-char mappings have been
+aligned with the preferred mappings provided by the Unicode Consortium
+(https://unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/bestfit950.txt).
+
+core-libs/java.util:i18n:
+
+JDK-8238914: Localized Time Zone Name Inconsistency Between English and Other Locales
+=====================================================================================
+English time zone names provided by the CLDR locale provider are now
+correctly synthesized following the CLDR spec, rather than substituted
+from the COMPAT provider. For example, SHORT style names are no longer
+synthesized abbreviations of LONG style names, but instead produce GMT
+offset formats.
+
+core-svc/java.lang.management:
+
+JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
+============================================================================================
+When executing in a container, or other virtualized operating
+environment, the following `OperatingSystemMXBean` methods in this
+release return container specific information, if
+available. Otherwise, they return host specific data:
+
+* getFreePhysicalMemorySize()
+* getTotalPhysicalMemorySize()
+* getFreeSwapSpaceSize()
+* getTotalSwapSpaceSize()
+* getSystemCpuLoad()
+
+security-libs/java.security:
+
+JDK-8250756: Added Entrust Root Certification Authority - G4 certificate
+========================================================================
+The Entrust root certificate has been added to the cacerts truststore:
+
+Alias Name: entrustrootcag4
+Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust,  Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
+
+JDK-8250860: Added 3 SSL Corporation Root CA Certificates
+=========================================================
+The following root certificates have been added to the cacerts truststore for the SSL Corporation:
+
+Alias Name: sslrootrsaca
+Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrootevrsaca
+Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrooteccca
+Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
+===================================================================================
+Weak named curves are disabled by default by adding them to the
+following `disabledAlgorithms` security properties:
+
+* jdk.tls.disabledAlgorithms
+* jdk.certpath.disabledAlgorithms
+* jdk.jar.disabledAlgorithms
+
+Red Hat has always disabled many of the curves provided by upstream,
+so the only addition in this release is:
+
+* secp256k1
+
+The curves that remain enabled are:
+
+* secp256r1
+* secp384r1
+* secp521r1
+* X25519
+* X448
+
+When large numbers of weak named curves need to be disabled, adding
+individual named curves to each `disabledAlgorithms` property would be
+overwhelming. To relieve this, a new security property,
+`jdk.disabled.namedCurves`, is implemented that can list the named
+curves common to all of the `disabledAlgorithms` properties. To use
+the new property in the `disabledAlgorithms` properties, precede the
+full property name with the keyword `include`.  Users can still add
+individual named curves to `disabledAlgorithms` properties separate
+from this new property.  No other properties can be included in the
+`disabledAlgorithms` properties.
+
+To restore the named curves, remove the `include
+jdk.disabled.namedCurves` either from specific or from all
+`disabledAlgorithms` security properties. To restore one or more
+curves, remove the specific named curve(s) from the
+`jdk.disabled.namedCurves` property.
+
+JDK-8244286: Tools Warn If Weak Algorithms Are Used Before Restricting Them
+===========================================================================
+The `keytool` and `jarsigner` tools have been updated to warn users
+about weak cryptographic algorithms being used before they are
+disabled. In this release, the tools issue warnings for the SHA-1 hash
+algorithm and 1024-bit RSA/DSA keys.
+
+security-libs/javax.net.ssl:
+
+JDK-8242147: New System Properties to Configure the TLS Signature Schemes
+=========================================================================
+Two new system properties have been added to customize the TLS
+signature schemes in JDK. `jdk.tls.client.SignatureSchemes` has been
+added for the TLS client side, and `jdk.tls.server.SignatureSchemes`
+has been added for the server side.
+
+Each system property contains a comma-separated list of supported
+signature scheme names specifying the signature schemes that could be
+used for the TLS connections.
+
+The names are described in the "Signature Schemes" section of the
+*Java Security Standard Algorithm Names Specification*.
+
+security-libs/javax.security:
+
+JDK-8242059: Support for canonicalize in krb5.conf
+==================================================
+
+The 'canonicalize' flag in the [krb5.conf file][0] is now supported by
+the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name
+canonicalization is requested by clients in TGT requests to KDC
+services (AS protocol). Otherwise, and by default, it is not
+requested.
+
+The new default behavior is different from previous releases where
+name canonicalization was always requested by clients in TGT requests
+to KDC services (provided that support for RFC 6806[1] was not
+explicitly disabled with the *sun.security.krb5.disableReferrals*
+system or security properties).
+
+[0]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
+[1]: https://tools.ietf.org/html/rfc6806
+
+JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b
+====================================================================
+Following JDK's update to tzdata2020b, the long-obsolete files
+pacificnew and systemv have been removed. As a result, the
+"US/Pacific-New" zone name declared in the pacificnew data file is no
+longer available for use.
+
+Information regarding the update can be viewed at
+https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
+
 New in release OpenJDK 11.0.8 (2020-07-14):
 ===========================================
 Live versions of these release notes can be found at:

java-11-openjdk.spec

@@ -258,7 +258,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global minorver        0
-%global buildver        10
+%global buildver        11
 %global rpmrelease      0
 #%%global tagsuffix      ""
 # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
@@ -276,7 +276,7 @@
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
 # - N%%{?extraver}{?dist} for GA releases
-%global is_ga           0
+%global is_ga           1
 %if %{is_ga}
 %global ea_designator ""
 %global ea_designator_zip ""
@@ -847,6 +847,9 @@ exit 0
 }
 
 %define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
 }
 
@@ -904,7 +907,7 @@ Requires: ca-certificates
 Requires: javapackages-filesystem
 # Require zone-info data provided by tzdata-java sub-package
 # 2020a required as of JDK-8243541 in 11.0.8+4
-Requires: tzdata-java >= 2020a
+Requires: tzdata-java >= 2020b
 # for support of kernel stream control
 # libsctp.so.1 is being `dlopen`ed on demand
 Requires: lksctp-tools%{?_isa}
@@ -1117,34 +1120,20 @@ Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
 Patch6:    rh1566890-CVE_2018_3639-speculative_store_bypass.patch
 # PR3695: Allow use of system crypto policy to be disabled by the user
 Patch7: pr3695-toggle_system_crypto_policy.patch
-# S390 ambiguous log2_intptr call
+
+#############################################
+#
+# Patches appearing in 11.0.10
+#
+# This section includes patches which are present
+# in the listed OpenJDK 11u release and should be
+# able to be removed once that release is out
+# and used by this RPM.
+#############################################
+# JDK-8222286: S390 ambiguous log2_intptr call
 Patch8: s390-8214206_fix.patch
-
-#############################################
-#
-# Patches appearing in 11.0.8
-#
-# This section includes patches which are present
-# in the listed OpenJDK 11u release and should be
-# able to be removed once that release is out
-# and used by this RPM.
-#############################################
-
-#############################################
-#
-# Patches appearing in 11.0.9
-#
-# This section includes patches which are present
-# in the listed OpenJDK 11u release and should be
-# able to be removed once that release is out
-# and used by this RPM.
-#############################################
-
-#############################################
-#
-# JDK 9+ only patches
-#
-#############################################
+# JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+Patch9: jdk8254177-tzdata2020b.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -1182,8 +1171,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel
 %ifnarch %{jit_arches}
 BuildRequires: libffi-devel
 %endif
-# 2020a required as of JDK-8243541 in 11.0.8+4
-BuildRequires: tzdata-java >= 2020a
+# 2020b required as of JDK-8254177 in October CPU
+BuildRequires: tzdata-java >= 2020b
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
 
@@ -1396,6 +1385,7 @@ pushd %{top_level_dir_name}
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 popd # openjdk
 
 %patch1000
@@ -1963,6 +1953,15 @@ require "copy_jdk_configs.lua"
 
 
 %changelog
+* Mon Oct 19 2020 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.9.11-0
+- Fix directory ownership of static-libs package
+
+* Thu Oct 15 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.9.11-0
+- Update to jdk-11.0.9+11
+- Update release notes for 11.0.9 release.
+- Add backport of JDK-8254177 to update to tzdata 2020b
+- Require tzdata 2020b due to resource changes in JDK-8254177
+
 * Mon Oct 05 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.9.10-0.0.ea
 - Update to jdk-11.0.9+10 (EA)
 

sources

@@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
-SHA512 (jdk-updates-jdk11u-jdk-11.0.9+10-4curve.tar.xz) = 58c181b24374e711c1dc0d4bf636ba5dc2b51defcdc00c38cea9bc20572e9ae376f239994e98ae795f14a92890d792fe0095617b2173986d4c45dc45eeaf264c
+SHA512 (jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz) = 09234290f4e285e921082fb7ddfed3000155f08cb8e63970f2f123cf1c2e1980aebae2ca71faa76a6ba2c0836937ed8ee0b7ab0f53b73a712a00e777a7b2d4ac